summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/README.Debian68
-rw-r--r--debian/changelog3
-rw-r--r--debian/openssh-server.config23
-rw-r--r--debian/openssh-server.postinst12
-rw-r--r--debian/openssh-server.templates15
-rw-r--r--debian/po/POTFILES.in1
-rw-r--r--debian/po/templates.pot46
7 files changed, 134 insertions, 34 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
index 6e6bf9dc8..4d16eb4d8 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -15,39 +15,41 @@ Privilege separation is turned on by default, so, if you decide you
15want it turned off, you need to add "UsePrivilegeSeparation no" to 15want it turned off, you need to add "UsePrivilegeSeparation no" to
16/etc/ssh/sshd_config. 16/etc/ssh/sshd_config.
17 17
18PermitRootLogin set to yes 18PermitRootLogin
19-------------------------- 19---------------
20 20
21This is now the default setting (in line with upstream), and people 21As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
22who asked for an automatically-generated configuration file when 22without-password". This disables password authentication for root, foiling
23upgrading from potato (or on a new install) will have this setting in 23password dictionary attacks on the root user. Some sites may wish to use
24their /etc/ssh/sshd_config file. 24the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
25 25but note that "PermitRootLogin no" will break setups that SSH to root with a
26Should you wish to change this setting, edit /etc/ssh/sshd_config, and 26forced command to take full-system backups. You can use PermitRootLogin in
27change: 27a Match block if you want finer-grained control here.
28PermitRootLogin yes 28
29to: 29For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in
30PermitRootLogin no 30line with upstream. To avoid breaking local setups, this is still true for
31 31installations upgraded from before 1:6.6p1-1. If you wish to change this,
32Having PermitRootLogin set to yes means that an attacker that knows 32you should edit /etc/ssh/sshd_config, change it manually, and run "service
33the root password can ssh in directly (without having to go via a user 33ssh restart" as root.
34account). If you set it to no, then they must compromise a normal user 34
35account. In the vast majority of cases, this does not give added 35Disabling PermitRootLogin means that an attacker possessing credentials for
36security; remember that any account you su to root from is equivalent 36the root account (any credentials in the case of "yes", or private key
37to root - compromising this account gives an attacker access to root 37material in the case of "without-password") must compromise a normal user
38easily. If you only ever log in as root from the physical console, 38account rather than being able to SSH directly to root. Be careful to avoid
39then you probably want to set this value to no. 39a false illusion of security if you change this setting; any account you
40 40escalate to root from should be considered equivalent to root for the
41As an aside, PermitRootLogin can also be set to "without-password" or 41purposes of security against external attack. You might for example disable
42"forced-commands-only" - see sshd(8) for more details. 42it if you know you will only ever log in as root from the physical console.
43 43
44DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT! 44Since the root account does not generally have non-password credentials
45 45unless you explicitly install an SSH public key in its
46The argument above is somewhat condensed; I have had this discussion 46~/.ssh/authorized_keys, which you presumably only do if you want to SSH to
47at great length with many people. If you think the default is 47it, "without-password" should be a reasonable default for most sites.
48incorrect, and feel strongly enough to want to argue about it, then 48
49send email to debian-ssh@lists.debian.org. I will close bug reports 49For further discussion, see:
50claiming the default is incorrect. 50
51 https://bugs.debian.org/298138
52 https://bugzilla.mindrot.org/show_bug.cgi?id=2164
51 53
52X11 Forwarding 54X11 Forwarding
53-------------- 55--------------
diff --git a/debian/changelog b/debian/changelog
index 1b08a3d50..ad96cd6ea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,9 @@ openssh (1:6.6p1-1) UNRELEASED; urgency=medium
10 the characters before the wildcard character. 10 the characters before the wildcard character.
11 * Re-enable btmp logging, as its permissions were fixed a long time ago in 11 * Re-enable btmp logging, as its permissions were fixed a long time ago in
12 response to #370050 (closes: #341883). 12 response to #370050 (closes: #341883).
13 * Change to "PermitRootLogin without-password" for new installations, and
14 ask a debconf question when upgrading systems with "PermitRootLogin yes"
15 from previous versions (closes: #298138).
13 16
14 [ Matthew Vernon ] 17 [ Matthew Vernon ]
15 * Fix failure to check SSHFP records if server presents a certificate 18 * Fix failure to check SSHFP records if server presents a certificate
diff --git a/debian/openssh-server.config b/debian/openssh-server.config
new file mode 100644
index 000000000..27594ad2d
--- /dev/null
+++ b/debian/openssh-server.config
@@ -0,0 +1,23 @@
1#! /bin/sh
2set -e
3
4. /usr/share/debconf/confmodule
5db_version 2.0
6
7get_config_option() {
8 option="$1"
9
10 [ -f /etc/ssh/sshd_config ] || return
11
12 # TODO: actually only one '=' allowed after option
13 perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
14 /etc/ssh/sshd_config 2>/dev/null
15}
16
17if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
18 [ "$(get_config_option PermitRootLogin)" = yes ]; then
19 db_input high openssh-server/permit-root-login || true
20 db_go
21fi
22
23exit 0
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 0189f5fbb..daa0f6796 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -1,6 +1,9 @@
1#!/bin/sh 1#!/bin/sh
2set -e 2set -e
3 3
4. /usr/share/debconf/confmodule
5db_version 2.0
6
4action="$1" 7action="$1"
5oldversion="$2" 8oldversion="$2"
6 9
@@ -193,7 +196,7 @@ LogLevel INFO
193 196
194# Authentication: 197# Authentication:
195LoginGraceTime 120 198LoginGraceTime 120
196PermitRootLogin yes 199PermitRootLogin without-password
197StrictModes yes 200StrictModes yes
198 201
199RSAAuthentication yes 202RSAAuthentication yes
@@ -305,8 +308,15 @@ if [ "$action" = configure ]; then
305 # restart it under systemd. 308 # restart it under systemd.
306 start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true 309 start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true
307 fi 310 fi
311 if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
312 [ "$(get_config_option PermitRootLogin)" = yes ] &&
313 db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
314 set_config_option PermitRootLogin without-password
315 fi
308fi 316fi
309 317
310#DEBHELPER# 318#DEBHELPER#
311 319
320db_stop
321
312exit 0 322exit 0
diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates
new file mode 100644
index 000000000..a7ee70701
--- /dev/null
+++ b/debian/openssh-server.templates
@@ -0,0 +1,15 @@
1Template: openssh-server/permit-root-login
2Type: boolean
3Default: false
4_Description: Disable SSH password authentication for root?
5 Previous versions of openssh-server permitted logging in as root over SSH
6 using password authentication. The default for new installations is now
7 "PermitRootLogin without-password", which disables password authentication
8 for root without breaking systems that have explicitly configured SSH
9 public key authentication for root.
10 .
11 This change makes systems more secure against brute-force password
12 dictionary attacks on the root user (a very common target for such
13 attacks). However, it may break systems that are set up with the
14 expectation of being able to SSH as root using password authentication. You
15 should only make this change if you do not need to do that.
diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in
new file mode 100644
index 000000000..c619f3451
--- /dev/null
+++ b/debian/po/POTFILES.in
@@ -0,0 +1 @@
[type: gettext/rfc822deb] openssh-server.templates
diff --git a/debian/po/templates.pot b/debian/po/templates.pot
new file mode 100644
index 000000000..70e64acad
--- /dev/null
+++ b/debian/po/templates.pot
@@ -0,0 +1,46 @@
1# SOME DESCRIPTIVE TITLE.
2# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
3# This file is distributed under the same license as the PACKAGE package.
4# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
5#
6#, fuzzy
7msgid ""
8msgstr ""
9"Project-Id-Version: openssh\n"
10"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
11"POT-Creation-Date: 2014-03-20 02:06+0000\n"
12"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
13"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
14"Language-Team: LANGUAGE <LL@li.org>\n"
15"Language: \n"
16"MIME-Version: 1.0\n"
17"Content-Type: text/plain; charset=CHARSET\n"
18"Content-Transfer-Encoding: 8bit\n"
19
20#. Type: boolean
21#. Description
22#: ../openssh-server.templates:1001
23msgid "Disable SSH password authentication for root?"
24msgstr ""
25
26#. Type: boolean
27#. Description
28#: ../openssh-server.templates:1001
29msgid ""
30"Previous versions of openssh-server permitted logging in as root over SSH "
31"using password authentication. The default for new installations is now "
32"\"PermitRootLogin without-password\", which disables password authentication "
33"for root without breaking systems that have explicitly configured SSH public "
34"key authentication for root."
35msgstr ""
36
37#. Type: boolean
38#. Description
39#: ../openssh-server.templates:1001
40msgid ""
41"This change makes systems more secure against brute-force password "
42"dictionary attacks on the root user (a very common target for such attacks). "
43"However, it may break systems that are set up with the expectation of being "
44"able to SSH as root using password authentication. You should only make this "
45"change if you do not need to do that."
46msgstr ""